CVE-2023-41326 in GLPI
Summary
by MITRE • 10/25/2023
GLPI (Gestionnaire Libre de Parc Informatique) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. A logged-in user from any profile can hijack the Kanban feature to alter any user field and end up stealing that user's account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Analysis
by VulDB Data Team • 10/25/2023
CVE-2023-41326 is an improper-authorization flaw in the GLPI IT management platform, located in its Kanban feature. The Kanban interface lets a user update the items shown on a board; in versions before 10.0.10 the update path accepted requests that targeted user records and applied the submitted field values without verifying that the requester was allowed to modify that user. Any authenticated user, including one holding the most restricted profile, could therefore rewrite fields of other users' accounts. Because GLPI's access model rests on the integrity of those user records, the flaw undermines the authentication and authorization framework that protects the asset and service desk data the product manages.
Exploitation goes through the Kanban feature's handling of field modifications: when a request asks to change a user field, the server does not check that the requester holds update rights on that particular user. Any authenticated user can thus write fields of an arbitrary account, and since those fields include the credentials and contact details the account depends on, the change can be turned into a full takeover of that account. The root cause is missing authorization enforcement, not a parsing or encoding defect: the request is well formed and is processed as an ordinary Kanban operation, but against an object the caller should have no write access to. This is CWE-285 (Improper Authorization), where a program performs a privileged action without confirming that the actor is entitled to it.
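As an added illustration, which is neither GLPI's code nor part of the VulDB analysis, the following Python model contrasts the flawed update pattern described above with a hardened one. A Kanban "update item" request names an item type, an item id and the fields to write; the flawed handler writes whatever it is given, while the hardened handler restricts the reachable item types and checks the caller's right on the concrete object. The item types, profile names and sample records are assumptions made for the example.

```python
# Added illustration for this analysis; it is not GLPI's code. It models the
# authorization gap behind CVE-2023-41326 with a tiny in-memory request
# handler. Item types, profile names and sample data are assumptions.
import copy
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    email: str
    profile: str          # assumed profiles: "self-service" or "super-admin"


@dataclass
class Task:
    id: int
    title: str
    owner_id: int         # the user allowed to move/edit this Kanban card


class Forbidden(Exception):
    """Raised when the caller has no right on the targeted object."""


# Constructed sample data: two users and one Kanban task owned by alice.
SAMPLE_DB = {
    "User": {
        1: User(1, "admin", "admin@example.org", "super-admin"),
        2: User(2, "alice", "alice@example.org", "self-service"),
    },
    "Task": {10: Task(10, "Patch GLPI", owner_id=2)},
}

# Item types a Kanban board is meant to manipulate (assumed allowlist).
KANBAN_ITEMTYPES = {"Task"}


def can_update(actor: User, itemtype: str, item) -> bool:
    """Object-level check: may this actor write this specific item?"""
    if actor.profile == "super-admin":
        return True
    if itemtype == "Task":
        return item.owner_id == actor.id
    return False          # ordinary users never edit User records here


def vulnerable_update(db, actor, itemtype, items_id, fields):
    """Flawed pattern: looks the item up by whatever itemtype/id the client
    sent and applies the submitted fields; the actor is never consulted."""
    item = db[itemtype][items_id]
    for name, value in fields.items():
        setattr(item, name, value)
    return item


def hardened_update(db, actor, itemtype, items_id, fields):
    """Fixed pattern: allowlist the item type, then check the caller's right
    on the concrete object before any field is written."""
    if itemtype not in KANBAN_ITEMTYPES:
        raise Forbidden(f"{itemtype!r} is not a Kanban item type")
    item = db[itemtype][items_id]
    if not can_update(actor, itemtype, item):
        raise Forbidden(f"{actor.name} may not update {itemtype} {items_id}")
    for name, value in fields.items():
        if not hasattr(item, name):
            raise ValueError(f"unknown field {name!r}")
        setattr(item, name, value)
    return item


def attack(handler):
    """alice (self-service) points a Kanban update at the admin's User record
    and rewrites its e-mail, the address a password reset would be mailed to.
    Returns (outcome, admin_email_afterwards)."""
    db = copy.deepcopy(SAMPLE_DB)
    alice = db["User"][2]
    try:
        handler(db, alice, "User", 1, {"email": alice.email})
        outcome = "modified"
    except Forbidden:
        outcome = "denied"
    return outcome, db["User"][1].email


def legitimate_move(handler):
    """alice renames her own task: must still succeed after hardening."""
    db = copy.deepcopy(SAMPLE_DB)
    alice = db["User"][2]
    handler(db, alice, "Task", 10, {"title": "Patch GLPI to 10.0.10"})
    return db["Task"][10].title


if __name__ == "__main__":
    print("vulnerable:", attack(vulnerable_update))   # ('modified', 'alice@example.org')
    print("hardened:  ", attack(hardened_update))     # ('denied', 'admin@example.org')
    print("legit move:", legitimate_move(hardened_update))
```

The hardened handler applies two independent checks, and both matter: the allowlist stops the board from ever reaching an object type it was not designed for, and the per-object check stops a user from editing another user's card even within the allowed types. A fix that only validates field names would leave the flaw intact, because the request in `attack` is syntactically valid.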
The impact goes well beyond changing a few fields. Taking over another account, in particular an administrator's, gives the attacker that account's view of everything GLPI holds: user details, system configuration, asset inventories and service desk data. For organizations running their ITIL service desk on GLPI this means unauthorized access to confidential service management data, the ability to disrupt service delivery and a loss of trust in the integrity of the asset tracking records. Because the only precondition is a valid login with any profile, every account on the instance, including the most restricted ones, is a possible starting point.
Organizations running GLPI should upgrade to version 10.0.10 without delay; no workaround is known, so updating is the only fix. Since ordinary credentials suffice to exploit the flaw, every legitimate user, and every stolen or phished account, is a potential attacker. Security teams should check whether the flaw was exploited before the patch was applied, for example by looking for unexpected changes to user records (e-mail addresses, passwords, profile assignments) and for Kanban activity directed at user objects, and should keep monitoring those patterns afterwards. More generally, the case shows that every endpoint that writes to an object must enforce object-level authorization, and that user-facing features such as boards and drag-and-drop interfaces need the same security testing as the rest of the application. Additional controls, such as least-privilege profile design and audit logging of account modifications, help to detect and contain abuse. In ATT&CK terms the resulting access maps to T1078 (Valid Accounts): once the takeover succeeds, the attacker operates under a legitimate account rather than through a separate exploit path, which is exactly why robust access control and careful permission management matter in enterprise environments.